Active Directory account lockout from OS X Server

I'm looking for assistance in tracking down why our 10.9 Mac server is constantly trying to use my Active Directory account. I changed my password a week ago and have been getting locked out constantly, and it appears the lockouts are coming from invalid password attempts from this OS X server. However, I don't know why the server would be using my AD credentials since I login to the Mac with an admin account and not my own. The only thing I can think of that may have used my AD credentials is connecting to a network file share at some point in the past, but I wouldn't have saved the credentials and it shouldn't be auto-mapping the share. The Mac itself is bound to Active Directory too.
I checked the Login Items and there is nothing there. I also reset the keychain to defaults and that didn't help. Does anyone else have any ideas for me to try to narrow down what the OS X server may be trying to use my credentials for?

So I'm going to guess I'm the only one that's ever had this issue...
Further digging with Wireshark shows that the OS X server is indeed issuing bind requests using my old AD account credentials multiple times per minute. I tried unbinding and rebinding, but that didn't help. The requests also start right away after a reboot, so whatever is using my credentials is doing so prior to any user logins on the server. Now I'm trying to track down what is actually issuing these requests on the server
In a span of a few seconds the machine issues three bind requests. The first is
bindRequest (1) "[email protected]" simple
Followed by
bindRequest (1) "<ROOT>" sasl
then
bindRequest (2) "<ROOT>" sasl
Anyone have an idea for me as to how to track down where my user account comes into play? It wasn't used to bind the machine to AD, I didn't see it anywhere in the keychain, and I only have a few apps running on the server, none of which use AD authentication or would request binding.

Similar Messages

Active Directory accounts no longer connect to Server

I administrate a small office network.
We have a Windows 2000 Server with active directory and a Windows 2003 Storage Server Appliance. (From Iomega)
After upgrading to 10.4.8 (it seems), our Mac integrated to the Active Directory has had problems connecting to the storage server.
When attempt to connect to smb://storage (the 2003 server appliance) we get a Error code -36 -- could not be read or written.
This only happens when logged into an AD account. Local accounts on the machine access the server as normal.
Also of note, the AD accounts have no problems accessing shares on the 2000 server.
Any ideas why this is only effecting AD accounts and a solution?

There are a couple of things you can check...
1. Check to make sure that the SMB signing option is disabled for the Windows 2003 Storage appliance. This can be done in the local group policy on the Server.
2. If it is a storage appliance, you should be able to run Microsoft's Services for Macintosh. This would give you AFP on the file server - a potential way to eliminate the need for using SMB on the Macs.
3. Use a 3rd party software on the Windows 2003 Storace Server called ExtremeZ-IP by Group Logic. It is a full featured AFP/IP file server for Windows (replacing SFM). We have an HP DL380 NAS device on our network (running Windows 2003 Storage Edition) that has 1.5 TB of storage for our MAc users. We use ExtremeZ-IP... I have nothing bu great things to say for it...

Active directory account lockout issue

I have 1 main AD server which is on windows 2003 R2 and all users are authenticated from this server and second ADC i.e backup ADC which is on windows 2003 R2, we have 3rd ADC on windows 2008 R2 which is created for Exchange 2010 on windows
2008R2,
Users are getting Account lock out issue randomly.
Can any one help on this.

Hi,
You can start with the below threads to see if you have prepared to determine lockouts sources.
http://technet.microsoft.com/en-us/library/cc773155(v=ws.10).aspx
http://blogs.technet.com/b/heyscriptingguy/archive/2012/12/27/use-powershell-to-find-the-location-of-a-locked-out-user.aspx
Use Lokoutstatus from Altools (http://www.microsoft.com/en-us/download/details.aspx?id=18465) then check the source DC where lockouts are being reported. Use the event viewer on
that DC and look for "failure audits" for that particular user acocunt or during that time frame reported on lockoutstatus. Use the event description to find the source workstations/server where the lockout is coming from and verify that server for
any (disconnect RDP sessions, credentials manager, services running with domain accounts,applications,etc).
Hope this helps.
Regards,
Calin

'Public' Active Directory account no longer works w/Tiger?

We have approx 20 public Macs that all log onto our Windows 2003 server using the same Active Directory account - 'Public'
This has worked fine until Tiger - Now when we attempt to log onto one of our network drives with this account name I'm told by a pop-up window that the account is either disabled or I've put the password in incorrectly.
Can anyone confirm if 'Public' cannot be used by a user on Tiger? Is it exclusively for the OS?

Ran accross this in help file...
"Mac OS X 10.3 or later: "Invalid user name and password combination" Message When Using Active Directory
When binding a Mac OS X client computer to Active Directory, the account entered is not validated (resolved) at that time. It is used as entered. If entered incorrectly, you will see an alert message later.
Symptom
After configuring the Active Directory Directory Access plug-in, an alert message appears at the client computer that says "invalid user name and password combination."
Products affected
Mac OS X 10.3 or later
Solution
This happens when an incorrect name and/or password is entered, including a username entered with incorrect syntax.
The user's login name (also known as "PrincipalName") is required when binding a computer to Active Directory.
The user can also use the short part of the login name (such as "virginia"). The typical syntax of a login name is similar to "[email protected]".
Note: If the user's login name has been modified from the default "[email protected]", then the default login name must be used. The modified login name (such as "[email protected]") cannot be used."

Creating Active Directory Accounts for vSphere 5.1 Services

To set up the management pieces of vSphere, I need to have an account or accounts created in Active Directory. I need to determine how many to create and what permissions they need.
In Single Sign on Server, I need to choose an account that vCenter server will use when it connects to SSO. I can use the default admin@system-domain. Or I can add an account that is configured in Active Directory. Or, I can also use an active directory group instead of an individual user. What is the best way to do this and if I use an AD account, what permissions does it need at the domain level and at the local level on the Single Sign on Server? (I'm using multisite mode, so I can't use local accounts)
In SQL Server, I need to choose an account to use for the SQL server service. Should this account be an active directory account or a local user account? If so, what permissions should be assigned to the account in Active Directory and what permissions should be assigned to it on the local machine? What AD group, if any should it be a part of? What local permissions does it need?
In vCenter Server, I need to choose an account to run the "vCenter Server Service" in. Is it best to use the default "system" account or to use an account from Active Directory, or a local account?
I'm trying to get a big picture of an AD account/group strategy to use that covers the main management pieces of vSphere - vCenter Server, Single Sign on, Inventory Service, Web Client Services.
For example, create one group called "vSphere Services", then create separate accounts for each management piece, and assign them specific permissions on specific systems. Or create separate groups for each management piece and assign permissions to the groups. Is it better to consolidate some of these user names or split them out? Any experiences / suggestions welcome. Thanks.

Hello,
For general services I use a service specific account within AD. This was before SSO and I use the same after SSO. SSO is used by only two services that I know about at the moment (Inventory Service and perhaps vCloud). However, there are many other service accounts that should be created. You want one account per service and I use AD for this, this way I can create a service account group and give it the appropriate roles and privileges. FOr example I have service accounts for:
VMware View
XenDesktop
vCops
HPSIM
Solarwinds
VMTurbo
NetApp
etc.
One service, one service account, each with either a general role or custom role depending on access requirements to vCenter.
For SSO, I to am waiting on general information, but I set mine up fairly basically to cover only those resources that make use of SSO. Since the vast majority of items do not use SSO, the rule still applies. Once SSO is supported by more than one or two tools, you still need to maintain that separation.
So I say yes, tie SSO to AD and do everything in one place, unfortunately, that is not very clear, or at least was not to me and these SSO issues are either beng fixed, documented, or both.
Best regards,
Edward L. Haletky aka Texiwill

Powershell Active Directory Account Expiration Script

I am putting together a script that creates a user account in AD, sets the password, adds groups, etc. The part I am having problems with is when the user selects the Contractor employee option and is prompted for the expiration date of the AD account.
The script will create the account, but the expiration date is not set in AD. Any suggestions?
Here's the code:
#Script to create Active Directory account
#Add the Active Directory Module if not already present
if (-not (Get-Module ActiveDirectory))
Import-Module ActiveDirectory -Force
Write-Host ""
Write-Host "======================================================" -ForegroundColor DarkYellow
Write-Host ""
Write-Host "Computer Access"
Write-Host "Create Active Directory User Script"
Write-Host "PowerShell 3.0"
Write-Host "Version: 1.2"
Write-Host "Date: 4/14/2014"
Write-Host "Author: "
Write-Host ""
Write-Host "Please review the created Active Directory Account" -ForegroundColor Red -BackgroundColor Yellow
Write-Host ""
Write-Host "Base Business Unit Group Memberships are added only" -ForegroundColor Red -BackgroundColor Yellow
Write-Host ""
Write-Host "======================================================" -ForegroundColor DarkYellow
Write-Host ""
Write-Host ""
Write-Host "======================================================" -ForegroundColor DarkYellow
Write-Host "Creating Active Directory Account" -ForegroundColor Yellow
Write-Host "======================================================" -ForegroundColor DarkYellow
Write-Host ""
#Specify the target OU for new users
$targetOU = "OU=Personnel,OU=ETA,DC=eta,DC=state,DC=tx"
#Find the current domain info
$domdns = (Get-ADDomain).dnsroot # for UPN generation
#Set Account Variables
#Set Username with Dialogue Box
[void] [System.Reflection.Assembly]::LoadWithPartialName("System.Drawing")
[void] [System.Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms")
$objForm = New-Object System.Windows.Forms.Form
$objForm.Font = New-Object System.Drawing.Font("Arial",10)
$objForm.Text = "Username"
$objForm.Size = New-Object System.Drawing.Size(300,200)
$objForm.StartPosition = "CenterScreen"
$objForm.KeyPreview = $True
$objForm.Add_KeyDown({if ($_.KeyCode -eq "Enter")
    {$global:setusername=$objTextBox.Text;$objForm.Close()}})
$objForm.Add_KeyDown({if ($_.KeyCode -eq "Escape")
    {$objForm.Close()}})
$OKButton = New-Object System.Windows.Forms.Button
$OKButton.Location = New-Object System.Drawing.Size(75,120)
$OKButton.Size = New-Object System.Drawing.Size(75,23)
$OKButton.Text = "OK"
$OKButton.Add_Click({$global:setusername=$objTextBox.Text;$objForm.Close()})
$objForm.Controls.Add($OKButton)
$CancelButton = New-Object System.Windows.Forms.Button
$CancelButton.Location = New-Object System.Drawing.Size(150,120)
$CancelButton.Size = New-Object System.Drawing.Size(75,23)
$CancelButton.Text = "Cancel"
$CancelButton.Add_Click(
{$Looping=$False
$objForm.Close()
[environment]::Exit(0)
$objForm.Controls.Add($CancelButton)
$objLabel = New-Object System.Windows.Forms.Label
$objLabel.Location = New-Object System.Drawing.Size(10,20)
$objLabel.Size = New-Object System.Drawing.Size(280,20)
$objLabel.Text = "Please enter the username for the account:"
$objForm.Controls.Add($objLabel)
$objTextBox = New-Object System.Windows.Forms.TextBox
$objTextBox.Location = New-Object System.Drawing.Size(10,40)
$objTextBox.Size = New-Object System.Drawing.Size(260,20)
$objForm.Controls.Add($objTextBox)
$objForm.Topmost = $True
$objForm.Add_Shown({$objForm.Activate(); $objTextBox.focus()})
[void] $objForm.ShowDialog()
#If OK then set variable and continue
$samname = ($setusername | Out-String)
$samname = ($setusername) + ("")
function validateUser
    param(
    [string]$username
    #if the username is passed without domain\
    if(($username.StartsWith("domain\")) -eq $false)
        $user = Get-ADUser -Filter { SamAccountName -eq $username }
        if (!$user)
            return $false
        else
            return $true
    elseif(($username.StartsWith("domain\")) -eq $true)
        $username = ($username.Split("\")[1])
        $user = Get-ADUser -Filter { SamAccountName -eq $username }
        if (!$user)
            return $false
        else
            return $true
$usercheck = validateUser -username $samname
if($userCheck -eq $true) {
[System.Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms")
[Windows.Forms.MessageBox]::Show("Username already exists in AD please check and retry",`
"Username Check", [Windows.Forms.MessageBoxButtons]::OK, [Windows.Forms.MessageBoxIcon]::Stop)
[environment]::Exit(0)
else {} #Continue
Write-Host ""
Write-Host "USERNAME has been set to" $samname -ForegroundColor Yellow
#Set User Accounts First Name
[void] [System.Reflection.Assembly]::LoadWithPartialName("System.Drawing")
[void] [System.Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms")
$objForm = New-Object System.Windows.Forms.Form
$objForm.Font = New-Object System.Drawing.Font("Arial",10)
$objForm.Text = "First Name"
$objForm.Size = New-Object System.Drawing.Size(300,200)
$objForm.StartPosition = "CenterScreen"
$objForm.KeyPreview = $True
$objForm.Add_KeyDown({if ($_.KeyCode -eq "Enter")
    {$global:setfirstname=$objTextBox.Text;$objForm.Close()}})
$objForm.Add_KeyDown({if ($_.KeyCode -eq "Escape")
    {$objForm.Close()}})
$OKButton = New-Object System.Windows.Forms.Button
$OKButton.Location = New-Object System.Drawing.Size(75,120)
$OKButton.Size = New-Object System.Drawing.Size(75,23)
$OKButton.Text = "OK"
$OKButton.Add_Click({$global:setfirstname=$objTextBox.Text;$objForm.Close()})
$objForm.Controls.Add($OKButton)
$CancelButton = New-Object System.Windows.Forms.Button
$CancelButton.Location = New-Object System.Drawing.Size(150,120)
$CancelButton.Size = New-Object System.Drawing.Size(75,23)
$CancelButton.Text = "Cancel"
$CancelButton.Add_Click(
{$Looping=$False
$objForm.Close()
[environment]::Exit(0)
$objForm.Controls.Add($CancelButton)
$objLabel = New-Object System.Windows.Forms.Label
$objLabel.Location = New-Object System.Drawing.Size(10,20)
$objLabel.Size = New-Object System.Drawing.Size(280,20)
$objLabel.Text = "Please enter the users first name:"
$objForm.Controls.Add($objLabel)
$objTextBox = New-Object System.Windows.Forms.TextBox
$objTextBox.Location = New-Object System.Drawing.Size(10,40)
$objTextBox.Size = New-Object System.Drawing.Size(260,20)
$objForm.Controls.Add($objTextBox)
$objForm.Topmost = $True
$objForm.Add_Shown({$objForm.Activate(); $objTextBox.focus()})
[void] $objForm.ShowDialog()
#If OK then set variable and continue
$givname = ($setfirstname | Out-String)
$givname = ("$setfirstname") + ("")
Write-Host ""
Write-Host "FIRST NAME has been set to" $givname -ForegroundColor Yellow
#Set User Accounts Last Name
[void] [System.Reflection.Assembly]::LoadWithPartialName("System.Drawing")
[void] [System.Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms")
$objForm = New-Object System.Windows.Forms.Form
$objForm.Font = New-Object System.Drawing.Font("Arial",10)
$objForm.Text = "Last Name"
$objForm.Size = New-Object System.Drawing.Size(300,200)
$objForm.StartPosition = "CenterScreen"
$objForm.KeyPreview = $True
$objForm.Add_KeyDown({if ($_.KeyCode -eq "Enter")
    {$global:setlastname=$objTextBox.Text;$objForm.Close()}})
$objForm.Add_KeyDown({if ($_.KeyCode -eq "Escape")
    {$objForm.Close()}})
$OKButton = New-Object System.Windows.Forms.Button
$OKButton.Location = New-Object System.Drawing.Size(75,120)
$OKButton.Size = New-Object System.Drawing.Size(75,23)
$OKButton.Text = "OK"
$OKButton.Add_Click({$global:setlastname=$objTextBox.Text;$objForm.Close()})
$objForm.Controls.Add($OKButton)
$CancelButton = New-Object System.Windows.Forms.Button
$CancelButton.Location = New-Object System.Drawing.Size(150,120)
$CancelButton.Size = New-Object System.Drawing.Size(75,23)
$CancelButton.Text = "Cancel"
$CancelButton.Add_Click(
{$Looping=$False
$objForm.Close()
[environment]::Exit(0)
$objForm.Controls.Add($CancelButton)
$objLabel = New-Object System.Windows.Forms.Label
$objLabel.Location = New-Object System.Drawing.Size(10,20)
$objLabel.Size = New-Object System.Drawing.Size(280,20)
$objLabel.Text = "Please enter the users last name:"
$objForm.Controls.Add($objLabel)
$objTextBox = New-Object System.Windows.Forms.TextBox
$objTextBox.Location = New-Object System.Drawing.Size(10,40)
$objTextBox.Size = New-Object System.Drawing.Size(260,20)
$objForm.Controls.Add($objTextBox)
$objForm.Topmost = $True
$objForm.Add_Shown({$objForm.Activate(); $objTextBox.focus()})
[void] $objForm.ShowDialog()
#If OK then set variable and continue
$surname = ($setlastname | Out-String)
$surname = ("$setlastname") + ("")
Write-Host ""
Write-Host "LAST NAME has been set to" $surname -ForegroundColor Yellow
#Set the Department Number for the Active Directory Account
[void] [System.Reflection.Assembly]::LoadWithPartialName("System.Drawing")
[void] [System.Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms")
$objForm = New-Object System.Windows.Forms.Form
$objForm.Font = New-Object System.Drawing.Font("Arial",10)
$objForm.Text = "Cost Center"
$objForm.Size = New-Object System.Drawing.Size(300,200)
$objForm.StartPosition = "CenterScreen"
$objForm.KeyPreview = $True
$objForm.Add_KeyDown({if ($_.KeyCode -eq "Enter")
    {$global:setcostcode=$objTextBox.Text;$objForm.Close()}})
$objForm.Add_KeyDown({if ($_.KeyCode -eq "Escape")
    {$objForm.Close()}})
$OKButton = New-Object System.Windows.Forms.Button
$OKButton.Location = New-Object System.Drawing.Size(75,120)
$OKButton.Size = New-Object System.Drawing.Size(75,23)
$OKButton.Text = "OK"
$OKButton.Add_Click({$global:setcostcode=$objTextBox.Text;$objForm.Close()})
$objForm.Controls.Add($OKButton)
$CancelButton = New-Object System.Windows.Forms.Button
$CancelButton.Location = New-Object System.Drawing.Size(150,120)
$CancelButton.Size = New-Object System.Drawing.Size(75,23)
$CancelButton.Text = "Cancel"
$CancelButton.Add_Click(
{$Looping=$False
$objForm.Close()
[environment]::Exit(0)
$objForm.Controls.Add($CancelButton)
$objLabel = New-Object System.Windows.Forms.Label
$objLabel.Location = New-Object System.Drawing.Size(10,20)
$objLabel.Size = New-Object System.Drawing.Size(280,20)
$objLabel.Text = "Please enter the cost center for the account:"
$objForm.Controls.Add($objLabel)
$objTextBox = New-Object System.Windows.Forms.TextBox
$objTextBox.Location = New-Object System.Drawing.Size(10,40)
$objTextBox.Size = New-Object System.Drawing.Size(260,20)
$objForm.Controls.Add($objTextBox)
$objForm.Topmost = $True
$objForm.Add_Shown({$objForm.Activate(); $objTextBox.focus()})
[void] $objForm.ShowDialog()
#If OK then set variable and continue
$costcode = ($setcostcode | Out-String)
$costcode = ("$setcostcode") + ("")
Write-Host ""
Write-Host "COSTCODE has been set to" $costcode -ForegroundColor Yellow
#This creates a checkbox called Employee
$objTypeCheckbox = New-Object System.Windows.Forms.Checkbox
$objTypeCheckbox.Location = New-Object System.Drawing.Size(10,220)
$objTypeCheckbox.Size = New-Object System.Drawing.Size(500,20)
$objTypeCheckbox.Text = "Employee"
$objTypeCheckbox.TabIndex = 4
$objForm.Controls.Add($objTypeCheckbox)
#This creates a checkbox called Citrix User
$objCitrixUserCheckbox = New-Object System.Windows.Forms.Checkbox
$objCitrixUserCheckbox.Location = New-Object System.Drawing.Size(10,240)
$objCitrixUserCheckbox.Size = New-Object System.Drawing.Size(500,20)
$objCitrixUserCheckbox.Text = "Citrix User"
$objCitrixUserCheckbox.TabIndex = 5
$objForm.Controls.Add($objCitrixUserCheckbox)
#Set Permanent or Contractor (Expiration Date)
[void][reflection.assembly]::Load("System.Windows.Forms, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089")
[void][reflection.assembly]::Load("System.Drawing, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a")
[System.Windows.Forms.Application]::EnableVisualStyles()
$form1 = New-Object 'System.Windows.Forms.Form'
$datetimepicker1 = New-Object 'System.Windows.Forms.DateTimePicker'
$radiobuttonPermanent = New-Object 'System.Windows.Forms.RadioButton'
$radiobuttonContractor = New-Object 'System.Windows.Forms.RadioButton'
$buttonOK = New-Object 'System.Windows.Forms.Button'
$InitialFormWindowState = New-Object 'System.Windows.Forms.FormWindowState'
$radiobuttonContractor_CheckedChanged={
    if($radiobuttonContractor.Checked){
        $datetimepicker1.Visible=$true
   }else{
        $datetimepicker1.Visible=$false
$Form_StateCorrection_Load=
   #Correct the initial state of the form to prevent the .Net maximized form issue
   $form1.WindowState = $InitialFormWindowState
$Form_Cleanup_FormClosed=
   #Remove all event handlers from the controls
   try
       $radiobuttonContractor.remove_CheckedChanged($radiobuttonContractor_CheckedChanged)
       $form1.remove_Load($FormEvent_Load)
       $form1.remove_Load($Form_StateCorrection_Load)
       $form1.remove_FormClosed($Form_Cleanup_FormClosed)
   catch [Exception]
$form1.Controls.Add($datetimepicker1)
$form1.Controls.Add($radiobuttonPermanent)
$form1.Controls.Add($radiobuttonContractor)
$form1.Controls.Add($buttonOK)
$form1.AcceptButton = $buttonOK
$form1.ClientSize = '508, 262'
$form1.FormBorderStyle = 'FixedDialog'
$form1.MaximizeBox = $False
$form1.MinimizeBox = $False
$form1.Name = "form1"
$form1.StartPosition = 'CenterScreen'
$form1.Text = "Form"
$form1.add_Load($FormEvent_Load)
# datetimepicker1
$datetimepicker1.Location = '160, 91'
$datetimepicker1.Name = "datetimepicker1"
$datetimepicker1.Size = '200, 20'
$datetimepicker1.TabIndex = 3
$datetimepicker1.Visible = $False
# radiobuttonPermanent
$radiobuttonPermanent.Location = '33, 57'
$radiobuttonPermanent.Name = "radiobuttonPermanent"
$radiobuttonPermanent.Size = '104, 24'
$radiobuttonPermanent.TabIndex = 2
$radiobuttonPermanent.TabStop = $True
$radiobuttonPermanent.Text = "Permanent"
$radiobuttonPermanent.UseVisualStyleBackColor = $True
# radiobuttonContractor
$radiobuttonContractor.Location = '33, 87'
$radiobuttonContractor.Name = "radiobuttonContractor"
$radiobuttonContractor.Size = '104, 24'
$radiobuttonContractor.TabIndex = 1
$radiobuttonContractor.TabStop = $True
$radiobuttonContractor.Text = "Contractor"
$radiobuttonContractor.UseVisualStyleBackColor = $True
$radiobuttonContractor.add_CheckedChanged($radiobuttonContractor_CheckedChanged)
# buttonOK
$buttonOK.Anchor = 'Bottom, Right'
$buttonOK.DialogResult = 'OK'
$buttonOK.Location = '421, 227'
$buttonOK.Name = "buttonOK"
$buttonOK.Size = '75, 23'
$buttonOK.TabIndex = 0
$buttonOK.Text = "OK"
$buttonOK.UseVisualStyleBackColor = $True
#endregion Generated Form Code
#Save the initial state of the form
$InitialFormWindowState = $form1.WindowState
#Init the OnLoad event to correct the initial state of the form
$form1.add_Load($Form_StateCorrection_Load)
#Clean up the control events
$form1.add_FormClosed($Form_Cleanup_FormClosed)
#Show the Form
$form1.ShowDialog()
#Set the password for the new user account
#Change P@$$w0rd to whatever you want the account password to be
[void] [System.Reflection.Assembly]::LoadWithPartialName("System.Drawing")
[void] [System.Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms")
$objForm = New-Object System.Windows.Forms.Form
$objForm.Font = New-Object System.Drawing.Font("Arial",10)
$objForm.Text = "Password"
$objForm.Size = New-Object System.Drawing.Size(300,200)
$objForm.StartPosition = "CenterScreen"
$objForm.KeyPreview = $True
$objForm.Add_KeyDown({if ($_.KeyCode -eq "Enter")
    {$global:setpassword=$objTextBox.Text;$objForm.Close()}})
$objForm.Add_KeyDown({if ($_.KeyCode -eq "Escape")
    {$objForm.Close()}})
$OKButton = New-Object System.Windows.Forms.Button
$OKButton.Location = New-Object System.Drawing.Size(75,120)
$OKButton.Size = New-Object System.Drawing.Size(75,23)
$OKButton.Text = "OK"
$OKButton.Add_Click({$global:setpassword=$objTextBox.Text;$objForm.Close()})
$objForm.Controls.Add($OKButton)
$CancelButton = New-Object System.Windows.Forms.Button
$CancelButton.Location = New-Object System.Drawing.Size(150,120)
$CancelButton.Size = New-Object System.Drawing.Size(75,23)
$CancelButton.Text = "Cancel"
$CancelButton.Add_Click(
{$Looping=$False
$objForm.Close()
[environment]::Exit(0)
$objForm.Controls.Add($CancelButton)
$objLabel = New-Object System.Windows.Forms.Label
$objLabel.Location = New-Object System.Drawing.Size(10,20)
$objLabel.Size = New-Object System.Drawing.Size(280,40)
$objLabel.Text = "Please enter the password you wish to set. Press Enter for P@SSw0rd:"
$objForm.Controls.Add($objLabel)
$objTextBox = New-Object System.Windows.Forms.TextBox
$objTextBox.Location = New-Object System.Drawing.Size(10,60)
$objTextBox.Size = New-Object System.Drawing.Size(260,20)
$objForm.Controls.Add($objTextBox)
$objForm.Topmost = $True
$objForm.Add_Shown({$objForm.Activate(); $objTextBox.focus()})
[void] $objForm.ShowDialog()
#If OK then set password and continue
$userpassword = ($setpassword | Out-String)
$userpassword = ("$setpassword") + ("")
if ($userpassword -eq "") {$userpassword = 'P@SSw0rd'}
$password = (ConvertTo-SecureString $userpassword -AsPlainText -Force)
#Set Variables for New-ADUser cmdlet
$dplname = "$surname, $givname"
$upname = "$givname.$surname" + "@" + "$domdns"
$email = "$givname" + "." + "$surname" + "@eta.state.tx.us"
$office = "WBT"
$description = "$costcode"
$description2 = "611IS - Permanent"
$description3 = "611PM - Permanent"
$description4 = "501 - Permanent"
##$loginscript = "yourloginscriptname"
$servername = "teafs2"
$homedir = "\\$($servername)\User\$($samname)"
$homedirpath = "\\$($servername)\User\$($samname)"
$Company= "ETA"
$department = "yourdepartment"
$department4 = "School Finance"
$departmentnumber = "" + "-" + "$costcode"
Write-Host ""
Write-Host "HOME SERVER is" $servername -ForegroundColor Yellow
Write-Host ""
Write-Host "HOME DIRECTORY has been set to" $homedir -ForegroundColor Yellow
Write-Host ""
Write-Host "DEPARTMENT has been set to" $department -ForegroundColor Yellow
Write-Host ""
Write-Host "DESCRIPTION has been set to" $departmentnumber -ForegroundColor Yellow
Write-Host ""
#Create Active Directory Account
New-ADUser -Name $dplname -SamAccountName $samname -DisplayName $dplname `
-givenname $givname -surname $surname -userprincipalname $upname -emailaddress $email `
-Path $targetou -Enabled $true -ChangePasswordAtLogon $true -Department $department `
-OtherAttributes @{'departmentNumber'="$departmentnumber"} -Company $Company -HomeDrive "H" -HomeDirectory $homedir `
-Description $description -Office $office -ScriptPath $loginscript -AccountPassword $password `
#Add User to Active Directory Groups Based on Description Field
If ((Get-ADUser $samname -Properties description).description -eq $description2) {
Add-ADGroupMember -Identity "CN=InformationSystemsPrintGroup,CN=Groups,OU=ETA,DC=tea,DC=state,DC=tx" -Member $samname
Add-ADGroupMember -Identity "CN=InformationSystemsOUDataGroup,CN=Groups,OU=ETA,DC=tea,DC=state,DC=tx" -Member $samname
Add-ADGroupMember -Identity "CN=InformationSystemsNetworkAccess,CN=Groups,OU=ETA,DC=tea,DC=state,DC=tx" -Member $samname
Add-ADGroupMember -Identity "CN=Mail users,OU=Groups,DC=tea,DC=state,DC=tx" -Member $samname
If ((Get-ADUser $samname -Properties description).description -eq $description3) {
Add-ADGroupMember -Identity "CN=ProjectMgmtNetworkAccess,CN=Groups,OU=ETA,DC=tea,DC=state,DC=tx" -Member $samname
Add-ADGroupMember -Identity "CN=ProjectMgmtOUDataGroup,CN=Groups,OU=ETA,DC=tea,DC=state,DC=tx" -Member $samname
Add-ADGroupMember -Identity "CN=ProjectMgmtPrintGroup,CN=Groups,OU=ETA,DC=tea,DC=state,DC=tx" -Member $samname
Add-ADGroupMember -Identity "CN=Cognos ETASE Dev-Test-Prod,OU=Groups,DC=tea,DC=state,DC=tx" -Member $samname
Add-ADGroupMember -Identity "CN=PMO ALL,OU=Distribution Groups,OU=Mailbox accounts,DC=tea,DC=state,DC=tx" -Member $samname
Add-ADGroupMember -Identity "CN=PMO Permanent,OU=Distribution Groups,OU=Mailbox accounts,DC=tea,DC=state,DC=tx" -Member $samname
Add-ADGroupMember -Identity "CN=Mail users,OU=Groups,DC=tea,DC=state,DC=tx" -Member $samname
If ((Get-ADUser $samname -Properties description).description -eq $description4) {
Add-ADGroupMember -Identity "CN=SchoolFinancePrintGroup,CN=Groups,OU=ETA,DC=tea,DC=state,DC=tx" -Member $samname
Add-ADGroupMember -Identity "CN=SchoolFinanceOUDataGroup,CN=Groups,OU=ETA,DC=tea,DC=state,DC=tx" -Member $samname
Add-ADGroupMember -Identity "CN=SchoolFinanceNetworkAccess,CN=Groups,OU=ETA,DC=tea,DC=state,DC=tx" -Member $samname
Add-ADGroupMember -Identity "CN=Mail users,OU=Groups,DC=tea,DC=state,DC=tx" -Member $samname
#Does the user require a mailbox?
$mailbox = New-Object -ComObject wscript.shell
$intAnswer = $mailbox.popup("Does this user require a mailbox?", `
0,"Create Mailbox",32+4)
If ($intAnswer -eq 6) {
    Add-ADGroupMember -Identity "YourADGroupName5" -Member $samname
    $mailbox.popup("User added to EMail Provisioning Group", `
    0,"Created",64+0)
} else {
    $mailbox.popup("User has not been added to the EMail Provisioning Group", `
    0,"Not Created",64+0)
#Does the user require a LYNC Account?
$lyncaccount = New-Object -ComObject wscript.shell
$intAnswer = $lyncaccount.popup("Does this user require a LYNC Account?", `
0,"Create LYNC Account",32+4)
If ($intAnswer -eq 6) {
    Add-ADGroupMember -Identity "YourADGroupName6" -Member $samname
    $lyncaccount.popup("User added to LYNC Provisioning Group", `
    0,"Created",64+0)
} else {
    $lyncaccount.popup("User has not been added to the LYNC Provisioning Group", `
    0,"Not Created",64+0)
#Create Home Directory and Set Permissions on Home Directory
New-Item -path $homedirpath -type directory
$acl = Get-ACL -path $homedirpath
$permission = "yourdomainname\$($samname)","Modify","ContainerInherit,ObjectInherit","None","Allow"
$accessrule = new-object System.Security.AccessControl.FileSystemAccessRule $permission
$acl.SetAccessRule($accessrule)
$acl | Set-ACL -path $homedirpath
##Set Share Permissions on Home Directory
$Computer = $servername
$Class = "Win32_Share"
$Method = "Create"
$name = $sharename
$path = $sharedirpath
$description = ""
$sd = ([WMIClass] "\\$Computer\root\cimv2:Win32_SecurityDescriptor").CreateInstance()
$ACE = ([WMIClass] "\\$Computer\root\cimv2:Win32_ACE").CreateInstance()
$Trustee = ([WMIClass] "\\$Computer\root\cimv2:Win32_Trustee").CreateInstance()
$Trustee.Name = "EVERYONE"
$Trustee.Domain = $Null
$Trustee.SID = @(1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
$ace.AccessMask = 2032127
$ace.AceFlags = 3
$ace.AceType = 0
$ACE.Trustee = $Trustee
$sd.DACL += $ACE.psObject.baseobject
$mc = [WmiClass]"\\$Computer\ROOT\CIMV2:$Class"
$InParams = $mc.psbase.GetMethodParameters($Method)
$InParams.Access = $sd
$InParams.Description = $description
$InParams.MaximumAllowed = $Null
$InParams.Name = $name
$InParams.Password = $Null
$InParams.Path = $path
$InParams.Type = [uint32]0
$R = $mc.PSBase.InvokeMethod($Method, $InParams, $Null)
switch ($($R.ReturnValue))
0 {Write-Host "Share:$name Path:$path Result:Success"; break}
2 {Write-Host "Share:$name Path:$path Result:Access Denied" -foregroundcolor red -backgroundcolor yellow;break}
8 {Write-Host "Share:$name Path:$path Result:Unknown Failure" -foregroundcolor red -backgroundcolor yellow;break}
9 {Write-Host "Share:$name Path:$path Result:Invalid Name" -foregroundcolor red -backgroundcolor yellow;break}
10 {Write-Host "Share:$name Path:$path Result:Invalid Level" -foregroundcolor red -backgroundcolor yellow;break}
21 {Write-Host "Share:$name Path:$path Result:Invalid Parameter" -foregroundcolor red -backgroundcolor yellow;break}
22 {Write-Host "Share:$name Path:$path Result:Duplicate Share" -foregroundcolor red -backgroundcolor yellow;break}
23 {Write-Host "Share:$name Path:$path Result:Reedirected Path" -foregroundcolor red -backgroundcolor yellow;break}
24 {Write-Host "Share:$name Path:$path Result:Unknown Device or Directory" -foregroundcolor red -backgroundcolor yellow;break}
25 {Write-Host "Share:$name Path:$path Result:Network Name Not Found" -foregroundcolor red -backgroundcolor yellow;break}
default {Write-Host "Share:$name Path:$path Result:*** Unknown Error ***" -foregroundcolor red -backgroundcolor yellow;break}

Would you be able to show me how it's done?
Here's an example:
$date = Read-Host 'Enter a date (e.g. 4/23/14)'
Write-Host "Original string: $date"
$dateTime = [datetime]$date
Write-Host "DateTime object: $dateTime"
Don't retire TechNet! -
(Don't give up yet - 12,830+ strong and growing)

Use Active Directory to Authenticate to OS X Server VPN

I have a Windows 2008r2 Small Business Server that I use primarily but, I have to integrate with services on my Mac Mini OS X Server.
First off, I have all updates loaded and everything runs great between both servers. My OS X server does not have Open Directory running; only services such as FTP, VPN, and File Sharing. I have joined the server to Active Directory and can log into the server as a Active Directory user. I have assigned the rights to even log on with my AD credentials to that server and be an admin. I know that everything is working fine between the 2 servers and I am pretty happy with the way it is working.
My challenge deals with authenticating to these services; specifically VPN, on the OS X server with Active Directory credentials.
When I open the server app, I go to the users section and then, I cahnge it from "local users" to "Users from 'domain.'"
Next, I select the account that I am trying to allow access to the VPN services and select it in the check mark area.
I try to log into the VPN and continually get an authentication error.
I have tried the following combinations for the login:
domain\user.name
domain.local\user.name
user.name
user.name@domain
[email protected]
None of these authentication attempts are successful.
I have successfully authenticated with a local user account that I created on the OS X server and it works flawlessly.
Has anyone ever attempted this? Has anyone ever had any success with this? I have been spinning my tires on this for 3 weeks and have finally given up and have to ask for help.
I appreciate anyone's feedback.

Here is a properly connected client
2013-07-16 22:37:27 EDT          Incoming call... Address given to client = 10.1.1.231
Tue Jul 16 22:37:27 2013 : Directory Services Authentication plugin initialized
Tue Jul 16 22:37:27 2013 : Directory Services Authorization plugin initialized
Tue Jul 16 22:37:27 2013 : L2TP incoming call in progress from '10.1.1.109'...
Tue Jul 16 22:37:27 2013 : L2TP received SCCRQ
Tue Jul 16 22:37:27 2013 : L2TP sent SCCRP
Tue Jul 16 22:37:27 2013 : L2TP received SCCCN
Tue Jul 16 22:37:27 2013 : L2TP received ICRQ
Tue Jul 16 22:37:27 2013 : L2TP sent ICRP
Tue Jul 16 22:37:27 2013 : L2TP received ICCN
Tue Jul 16 22:37:27 2013 : L2TP connection established.
Tue Jul 16 22:37:27 2013 : using link 0
Tue Jul 16 22:37:27 2013 : Using interface ppp0
Tue Jul 16 22:37:27 2013 : Connect: ppp0 <--> socket[34:18]
Tue Jul 16 22:37:27 2013 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x51bcd2b8> <pcomp> <accomp>]
Tue Jul 16 22:37:27 2013 : rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x2a2e6968> <pcomp> <accomp>]
Tue Jul 16 22:37:27 2013 : lcp_reqci: returning CONFACK.
Tue Jul 16 22:37:27 2013 : sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x2a2e6968> <pcomp> <accomp>]
Tue Jul 16 22:37:27 2013 : rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x51bcd2b8> <pcomp> <accomp>]
Tue Jul 16 22:37:27 2013 : sent [LCP EchoReq id=0x0 magic=0x51bcd2b8]
Tue Jul 16 22:37:27 2013 : sent [CHAP Challenge id=0x99 <25530231620a2a32144123670735585d>, name = "server1.domain.com"]
Tue Jul 16 22:37:27 2013 : rcvd [LCP EchoReq id=0x0 magic=0x2a2e6968]
Tue Jul 16 22:37:27 2013 : sent [LCP EchoRep id=0x0 magic=0x51bcd2b8]
Tue Jul 16 22:37:27 2013 : rcvd [LCP EchoRep id=0x0 magic=0x2a2e6968]
Tue Jul 16 22:37:27 2013 : rcvd [CHAP Response id=0x99 <e05bcc591f50471f1db5dc92e30eda800000000000000000799cfb93fa3a0b70d15a018b1b1db9 9877e05463f540e54400>, name = "localusername"]
Tue Jul 16 22:37:27 2013 : sent [CHAP Success id=0x99 "S=D079042B80380C3806A1EAE231CAE53074ED1F88 M=Access granted"]
Tue Jul 16 22:37:27 2013 : CHAP peer authentication succeeded for localusername
Tue Jul 16 22:37:27 2013 : DSAccessControl plugin: User 'localusername' authorized for access
Tue Jul 16 22:37:27 2013 : sent [IPCP ConfReq id=0x1 <addr 10.1.1.3>]
Tue Jul 16 22:37:27 2013 : sent [ACSCP ConfReq id=0x1]
Tue Jul 16 22:37:27 2013 : rcvd [IPCP ConfReq id=0x1 <addr 0.0.0.0> <ms-dns1 0.0.0.0> <ms-dns3 0.0.0.0>]
Tue Jul 16 22:37:27 2013 : ipcp: returning Configure-NAK
Tue Jul 16 22:37:27 2013 : sent [IPCP ConfNak id=0x1 <addr 10.1.1.231> <ms-dns1 10.1.1.2> <ms-dns3 10.1.1.2>]
Tue Jul 16 22:37:27 2013 : rcvd [IPV6CP ConfReq id=0x1 <addr fe80::426c:8fff:fe0c:4d37>]
Tue Jul 16 22:37:27 2013 : Unsupported protocol 0x8057 received
Tue Jul 16 22:37:27 2013 : sent [LCP ProtRej id=0x2 80 57 01 01 00 0e 01 0a 42 6c 8f ff fe 0c 4d 37]
Tue Jul 16 22:37:27 2013 : rcvd [ACSCP ConfReq id=0x1 <route vers 16777216> <domain vers 16777216>]
Tue Jul 16 22:37:27 2013 : sent [ACSCP ConfAck id=0x1 <route vers 16777216> <domain vers 16777216>]
Tue Jul 16 22:37:27 2013 : rcvd [IPCP ConfAck id=0x1 <addr 10.1.1.3>]
Tue Jul 16 22:37:27 2013 : rcvd [ACSCP ConfAck id=0x1]
Tue Jul 16 22:37:27 2013 : sent [ACSP data <payload len 15, packet seq 0, CI_DOMAINS, flags: START END REQUIRE-ACK>
    <domain: name mtg.local>]
Tue Jul 16 22:37:27 2013 : sent [ACSP data <payload len 12, packet seq 0, CI_ROUTES, flags: START END REQUIRE-ACK>
    <route: address 10.1.1.1, mask 255.255.255.0, flags: PUBLIC>]
Tue Jul 16 22:37:27 2013 : rcvd [IPCP ConfReq id=0x2 <addr 10.1.1.231> <ms-dns1 10.1.1.2> <ms-dns3 10.1.1.2>]
Tue Jul 16 22:37:27 2013 : ipcp: returning Configure-ACK
Tue Jul 16 22:37:27 2013 : sent [IPCP ConfAck id=0x2 <addr 10.1.1.231> <ms-dns1 10.1.1.2> <ms-dns3 10.1.1.2>]
Tue Jul 16 22:37:27 2013 : ipcp: up
Tue Jul 16 22:37:27 2013 : found interface en0 for proxy arp
Tue Jul 16 22:37:27 2013 : local IP address 10.1.1.3
Tue Jul 16 22:37:27 2013 : remote IP address 10.1.1.231
Tue Jul 16 22:37:27 2013 : l2tp_wait_input: Address added. previous interface setting (name: en0, address: 10.1.1.3), current interface setting (name: ppp0, family: PPP, address: 10.1.1.3, subnet: 255.255.255.0, destination: 10.1.1.231).
Tue Jul 16 22:37:27 2013 : rcvd [ACSP data <payload len 0, packet seq 0, CI_DOMAINS, flags: ACK>]
Tue Jul 16 22:37:27 2013 : rcvd [ACSP data <payload len 0, packet seq 0, CI_ROUTES, flags: ACK>]

Snow leopard Active directory account taking a long time to verify password

Hi,
My mac is configured to use an active directory account (windows small biz server 2008), i configured a mobile account when i was still under leopard and it was working fine. Since i upgraded to snow leopard i started experience the following issues:
When i am out of the office (not connected on the domain), logging in to my mac take about 5min after i type the password, same thing when the mac awakes from sleep, i type my password and it says verifying password and this takes about 5 minutes to complete! Another issue i am experiencing is that whenever i put my mac to sleep, when it wakes up most of the running applications crash and i have to restart them. i was hoping 10.6.2 would fix that but it didn't.
Sorry for the long post. Thank you in advance for your support!

I guess we will have to wait for someone to give us a clue, or for apple to release 10.6.3 .

How to avoid duplicate DN exception when creating Active Directory Account

I am using OIM 9.1.0.2 to provision Active Directory accounts.
I run into issues when the DN of the user to be created already exists and I would like to know if anyone has some logic I can use to generate a different DN for new user by adding a number or something like that to the DN
Here is an example.
User 1 exists already and their DN: cn=john smith, cn=users, dc=company,dc=org
New user joins the company and his name is also john smith and he has no middle name: so system attempts to create his account as cn=john smith, cn=users, dc=company,dc=org
how can I accomplish this by making the account say cn=john smith_1, cn=users, dc=company,dc=org

855640 wrote:
I run into issues when the DN of the user to be created already exists and I would like to know if anyone has some logic I can use to generate a different DN for new user by adding a number or something like that to the DN
There are two different questions:
1. How to generate a sequence of candidates for the name attribute
2. How to check if a record with the given name candidate already exists in the Active Directory, and hence try the next candidate from the sequence.
The answer for the first part is usually defined by the policy existing in your organization, in the simplest case you can append sequential integer numbers to the end of the original name.
The answer for the second question is not so simple if you use are provisioning with MSAD connector.
There are two places you can put the check:
-- in the pre-populate adapter for the UD_ADUSER_COMMONNAME field
-- in the adpADCSCREATEUSER event handler, which is responsible for new AD user record creation.
Both cases need some coding, since you have to obtain the AD connection and search AD for matching records.
Pros & cons
Placing check code in the pre-populate adapter:
Pros:
the result is visible in the form, administrator can change the pre-calculated value if he wishes
Cons:
you need to have all access to connection parameters, and establish one extra connection
this is not the way OIM is supposed to work :-(
Placing check code in the AD user creation task:
Pros:
you have all access to connection parameters, and open a connection here anyway
Cons:
the result is not present in the form, so no way for manual interaction by administrator here
BTW: this problem is not only related to DN generation, some other AD attributes (e.g. sAMAccountName, mailNickName, userPrincipalName, mail) should be unique in the AD domain scope.
Edited by: madhatter on Sep 7, 2012 12:02 AM

ActiveSync mail/contacts/calendars removed after Active Directory account is locked out?

Hey guys,
Wondering if anybody has seen an issue like this. This is a new Exchange 2010 deployment (8+ CAS servers) and the devices are all iPhones/iPads running the latest version of iOS (7.1.2). The CAS servers are behind a load-balancer.
Basically when a users' Active Directory account is Locked in AD (either manually or by entering the wrong password) their ActiveSync Contacts, Calendars and all Mail folders (except the Inbox strangely!) will be removed from the iOS device within a few hours. So an account might get locked out at say 6pm, if left locked out by the next morning the ActiveSync account will still be setup on the device as normal, but everything is gone except the mail in the Inbox. If a user has an iPad and iPhone both will be blanked.
The behaviour is similar to what is documented here - iOS: How to mitigate a full sync or reload of Exchange account data - however the Exchange servers are not issuing HTTP500 errors as we have captured logging during the window where the device blanks itself.
Any thoughts would be appreciated!
Thanks!

Hello,
which event ids are shown in the event viewer from the DCs? Or maybe locally also some errors are locked that give some more details.
If this happens it sounds personally for me that Java is the problem. Have you already opened a call at
https://community.oracle.com/welcome ?
Best regards
Meinolf Weber
MVP, MCP, MCTS
Microsoft MVP - Directory Services
My Blog: http://msmvps.com/blogs/mweber/
Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

Time Machine Backup using Active Directory account

I have two macbook pros (running 10.6.4) using Active Directory accounts and I am trying to backup them up to an Active Directory integrated XServe (running 10.6.4) with a shared Time Machine backup point. I open Time Machine preferences, select the disk, entering username and password, and it starts trying to make the backup disk available. However, it quits and gives me the following error - the network backup disk could not be accessed because there was a problem with the network username and password. The username and password are correct. I have tried three different accounts and they all produce this error.

This happened to an issue AFP. I had AFP authentication set to use Kerberos. I changed it to use "Any Method" and it is working properly.

Active Directory not replicating from SBS 2003 to Server 2008 R2 Standard

I have an old SBS 2003 server and am migrating to a 2008 R2 server. I followed this guide:
http://demazter.wordpress.com/2010/04/29/migrate-small-business-server-2003-to-exchange-2010-and-windows-2008-r2/
I followed the guide (except the exchange stuff, because they are moving from exchange to Google apps for business) and everything went fine.
I removed the sbs from Domain controller status (dcpromo'ed it out) and everything seemed to go fine. I haven't turned off the old server yet, because they are still using it for a couple of other unrelated applications.
After I did this I added new computers to active directory, but they only showed up on the active directory on the old sbs (I think something went wrong when I too the old sbs out of domain controller status).
I ran dcdiag on the new server and this is the result:
  Time Generated: 01/10/2014   14:57:56
            Event String:
            The SiSRaid4 service failed to start due to the following error:
         An error event occurred. EventID: 0xC0001B58
            Time Generated: 01/10/2014   14:57:56
            Event String:
            The stexstor service failed to start due to the following error:
         An error event occurred. EventID: 0xC0001B58
            Time Generated: 01/10/2014   14:57:56
            Event String:
            The vhdmp service failed to start due to the following error:
         An error event occurred. EventID: 0xC0001B58
            Time Generated: 01/10/2014   14:57:56
            Event String:
            The vsmraid service failed to start due to the following error:
         A warning event occurred. EventID: 0x8000001D
            Time Generated: 01/10/2014   14:58:00
            Event String:
            The Key Distribution Center (KDC) cannot find a suitable certificate
to use for smart card logons, or the KDC certificate could not be verified. Sma
rt card logon may not function correctly if this problem is not resolved. To cor
rect this problem, either verify the existing KDC certificate using certutil.exe
or enroll for a new KDC certificate.
         An error event occurred. EventID: 0x0000164A
            Time Generated: 01/10/2014   14:58:20
            Event String:
            The Netlogon service could not create server share C:\Windows\SYSVOL
\sysvol\PIIKANIPW.local\SCRIPTS. The following error occurred:
         An error event occurred. EventID: 0xC0001B58
            Time Generated: 01/10/2014   14:58:21
            Event String:
            The Qntm3520 service failed to start due to the following error:
         An error event occurred. EventID: 0x00000422
            Time Generated: 01/10/2014   14:58:36
            Event String:
            The processing of Group Policy failed. Windows attempted to read the
file \\PIIKANIPW.local\sysvol\PIIKANIPW.local\Policies\{31B2F340-016D-11D2-945F
-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Po
licy settings may not be applied until this event is resolved. This issue may be
transient and could be caused by one or more of the following:
         A warning event occurred. EventID: 0x00002724
            Time Generated: 01/10/2014   14:58:40
            Event String:
            This computer has at least one dynamically assigned IPv6 address.For
reliable DHCPv6 server operation, you should use only static IPv6 addresses.
         A warning event occurred. EventID: 0x800013B8
            Time Generated: 01/10/2014   14:58:49
            Event String:
            The application '/tmsWebAgent' belonging to site '1' has an invalid
AppPoolId 'Classic .NET AppPool' set. Therefore, the application will be ignore
d.
         A warning event occurred. EventID: 0x80003BC4
            Time Generated: 01/10/2014   15:01:53
            Event String:
            SSL Certificate Settings deleted for Port : 0.0.0.0:50106 .
         A warning event occurred. EventID: 0x80003BC5
            Time Generated: 01/10/2014   15:01:53
            Event String:
            SSL Certificate Settings created by an admin process for Port : 0.0.
0.0:50106 .
         An error event occurred. EventID: 0xC0001B7A
            Time Generated: 01/10/2014   15:01:59
            Event String:
            The TMS Print Agent service terminated unexpectedly. It has done th
is 1 time(s).
         A warning event occurred. EventID: 0x0000000C
            Time Generated: 01/10/2014   15:02:00
            Event String:
            Time Provider NtpClient: This machine is configured to use the domai
n hierarchy to determine its time source, but it is the AD PDC emulator for the
domain at the root of the forest, so there is no machine above it in the domain
hierarchy to use as a time source. It is recommended that you either configure a
reliable time service in the root domain, or manually configure the AD PDC to s
ynchronize with an external time source. Otherwise, this machine will function a
s the authoritative time source in the domain hierarchy. If an external time sou
rce is not configured or used for this computer, you may choose to disable the N
tpClient.
         An error event occurred. EventID: 0x0000165B
            Time Generated: 01/10/2014   15:02:34
            Event String:
            The session setup from computer 'PK-PC1' failed because the se
curity database does not contain a trust account 'PK-PC1$' referenced by t
he specified computer.
         An error event occurred. EventID: 0x00000422
            Time Generated: 01/10/2014   15:03:37
            Event String:
            The processing of Group Policy failed. Windows attempted to read the
file \\PIIKANIPW.local\sysvol\PIIKANIPW.local\Policies\{31B2F340-016D-11D2-945F
-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Po
licy settings may not be applied until this event is resolved. This issue may be
transient and could be caused by one or more of the following:
         A warning event occurred. EventID: 0x000727AA
            Time Generated: 01/10/2014   15:04:01
            Event String:
            The WinRM service failed to create the following SPNs: WSMAN/PKDC01.
PIIKANIPW.local; WSMAN/PKDC01.
         A warning event occurred. EventID: 0x80003BC4
            Time Generated: 01/10/2014   15:06:54
            Event String:
            SSL Certificate Settings deleted for Port : 0.0.0.0:50106 .
         A warning event occurred. EventID: 0x80003BC5
            Time Generated: 01/10/2014   15:06:54
            Event String:
            SSL Certificate Settings created by an admin process for Port : 0.0.
0.0:50106 .
         An error event occurred. EventID: 0x00000422
            Time Generated: 01/10/2014   15:08:37
            Event String:
            The processing of Group Policy failed. Windows attempted to read the
file \\PIIKANIPW.local\sysvol\PIIKANIPW.local\Policies\{31B2F340-016D-11D2-945F
-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Po
licy settings may not be applied until this event is resolved. This issue may be
transient and could be caused by one or more of the following:
         An error event occurred. EventID: 0x000016AD
            Time Generated: 01/10/2014   15:13:21
            Event String:
            The session setup from the computer PK-PC1 failed to authentic
ate. The following error occurred:
         An error event occurred. EventID: 0x00000422
            Time Generated: 01/10/2014   15:13:38
            Event String:
            The processing of Group Policy failed. Windows attempted to read the
file \\PIIKANIPW.local\sysvol\PIIKANIPW.local\Policies\{31B2F340-016D-11D2-945F
-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Po
licy settings may not be applied until this event is resolved. This issue may be
transient and could be caused by one or more of the following:
         An error event occurred. EventID: 0x00000422
            Time Generated: 01/10/2014   15:18:39
            Event String:
            The processing of Group Policy failed. Windows attempted to read the
file \\PIIKANIPW.local\sysvol\PIIKANIPW.local\Policies\{31B2F340-016D-11D2-945F
-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Po
licy settings may not be applied until this event is resolved. This issue may be
transient and could be caused by one or more of the following:
         An error event occurred. EventID: 0x00000422
            Time Generated: 01/10/2014   15:20:28
            Event String:
            The processing of Group Policy failed. Windows attempted to read the
file \\PIIKANIPW.local\sysvol\PIIKANIPW.local\Policies\{31B2F340-016D-11D2-945F
-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Po
licy settings may not be applied until this event is resolved. This issue may be
transient and could be caused by one or more of the following:
         An error event occurred. EventID: 0x00000457
            Time Generated: 01/10/2014   15:20:33
            Event String:
         An error event occurred. EventID: 0x00000422
            Time Generated: 01/10/2014   15:23:39
            Event String:
            The processing of Group Policy failed. Windows attempted to read the
file \\PIIKANIPW.local\sysvol\PIIKANIPW.local\Policies\{31B2F340-016D-11D2-945F
-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Po
licy settings may not be applied until this event is resolved. This issue may be
transient and could be caused by one or more of the following:
         An error event occurred. EventID: 0x00000422
            Time Generated: 01/10/2014   15:28:40
            Event String:
            The processing of Group Policy failed. Windows attempted to read the
file \\PIIKANIPW.local\sysvol\PIIKANIPW.local\Policies\{31B2F340-016D-11D2-945F
-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Po
licy settings may not be applied until this event is resolved. This issue may be
transient and could be caused by one or more of the following:
         An error event occurred. EventID: 0x00000422
            Time Generated: 01/10/2014   15:33:41
            Event String:
            The processing of Group Policy failed. Windows attempted to read the
file \\PIIKANIPW.local\sysvol\PIIKANIPW.local\Policies\{31B2F340-016D-11D2-945F
-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Po
licy settings may not be applied until this event is resolved. This issue may be
transient and could be caused by one or more of the following:
         An error event occurred. EventID: 0x00000422
            Time Generated: 01/10/2014   15:38:41
            Event String:
            The processing of Group Policy failed. Windows attempted to read the
file \\PIIKANIPW.local\sysvol\PIIKANIPW.local\Policies\{31B2F340-016D-11D2-945F
-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Po
licy settings may not be applied until this event is resolved.
         ......................... PKDC01 failed test SystemLog
      Starting test: VerifyReferences
         ......................... PKDC01 passed test VerifyReferences
   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test
         CrossRefValidation
   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation
   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
   Running partition tests on : PIIKANIPW
      Starting test: CheckSDRefDom
         ......................... PIIKANIPW passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... PIIKANIPW passed test CrossRefValidation
   Running enterprise tests on : PIIKANIPW.local
      Starting test: LocatorCheck
         ......................... PIIKANIPW.local passed test LocatorCheck
      Starting test: Intersite
         ......................... PIIKANIPW.local passed test Intersite
I also noticed that the SYSvol share on the new server is empty and the NETLOGON share doesn't exist.
Please help! Thanks.

Hi,
Do you currently have any relevant errors in your System or Application logs?
Seems like the replication is not successfully.
An SBS server shouldn't shut down upon detecting the existence of another DC as that's a fully supported scenario.
Regards.
Vivian Wang

What is involved in going from local user accounts to active directory accounts with CCM 9.1.2?

We are currently using local user accounts with CUCM 9.1.2 and are looking at integrating it into the active directory structure.
We do utilize the same structure for user ID's.
I am looking to find out what the changeover will entail and if anything else needs to be done prior to the integration.
We also have Unity syncing up with CUCM for users as well as Contact Center sync'ed up for our ACD system.
Thanks
Mike

Hey Mike,
The process is pretty straight forward. CUCM 9.X supports the coexistence of AD integrated users and local users so you don't have to worry about local accounts disappearing if they don't have an AD account. The biggest thing to watch out for is that if you decide to revert back for whatever reason then the accounts that were in AD will be marked for deletion (from the CUCM, not AD) and will be removed after approximately 24 hours.
I recommend the following if you'd like to move to AD.
Run a DRS backup of CUCM. This is not necessary for the integration but is good practice in my opinion. I'd also do a full export of your users using the BAT so you can reimport users to how they were before the integration should you decide to revert for any reason.
Determine if you want to put the user's extensions in the telephonenumber field or ipPhone field in AD. Once you make a decision, I recommend populating that information in AD so it is available when you do the integration.
Make sure your local CUCM user accounts usernames are exactly the same as your domain accounts. That way when you do the integration the local users become AD users and keep all of their phone associations, group memberships, etc. If you need to change the usernames then be sure to notify your users ahead of time so they can start logging into UCCX or UCM user pages, etc. using their new username.
Create an account in AD that has read-only rights to your directory. Set the password to never expire. You will use this account later for the integration.
In CUCM, go into Serviceability and make sure the "Cisco DirSync" service is activated on the Publisher server.
Also in CUCM, navigate to the administration page and do the following:
Go to System > LDAP > LDAP System and Check the box to enable Synchronizing. Confirm the LDAP server type and attribute for User ID is accurate. This is typically Microsoft Active Directory and sAMAccountName respectively.
Go to System > LDAP > LDAP Directory
Click Add New
Give it a name (whatever you want).
Put in the Distinguished Name of the AD integration account you created earlier. For example, if you created an account called ciscoldap in the Service Accounts OU in the abc.com domain then it would look something like this... CN=ciscoldap,OU=Service Accounts,DC=abc,DC=com
Enter the password for the account.
Enter the search base. This can be a specific OU where your users exist, a parent OU which contains other OUs which contain all of your users or the entire domain. If you do the entire domain then in the abc.com example you would specify DC=abc,DC=com.
Select the option to perform a sync with AD on periodic intervals. The lowest interval you can set is every 6 hours.
Select either the telephonenumber or ipPhone field to be used for the user's extensions. This will be whatever you decided and populated in AD in an earlier step.
Add your primary and any backup domain controllers and ports. If they are just domain controllers and you are not using SSL then specify port 389. If they are also global catalog servers then you can do port 3268.
Click Save and Click the "Perform Full Sync Now" button.
I recommend that you also use LDAP for authentication as well so you only have one username and password to remember which is all controlled by AD. To add this do the following:Go to System > LDAP > LDAP Authentication.
Click Add New
Check the box to use LDAP Authentication
Add the same Distinguished name, passwords and user seach base that you used for your integration account earlier under the synchronization section. Also add the same primary and secondary LDAP servers and ports you used earlier.
Click Save
You can go a step further and create a filter to only pull in the users within the search base you specified and apply that. For example, maybe only pull in users that have their ipPhone field populated. Let me know if you have any questions on that or any of the above.
I hope this helps!

Cant login to 10.6 from an active directory account

cant login to 10.6 from an active directory account

You haven't provided nearly enough background of your Network for anyone to help you.
Please include an enormous amount of information about:
1) your Mac and the network it is on.
2) How you have established the link to the Active Directory
3) exactly what happens when you try to connect, including the literal text of all error messages.

ICloud/iTunes Account Locking out Active Directory Account [?]

The facts:
I have been having this problem for the past four+ months.
My work email address is my iTunes account name
My work AD account gets logged out most evenings, sometimes within an hour of leaving work, sometimes late at night
I know when my account is logged out because my iPhone will ask for my Exchange password, or I cannot get into Outlook Web Access
When my iTunes/iCloud account password is the same as my Active Directory password this does not happen. When this was the case earlier this year I went 90 days without a lockout. The day after my password expired and I changed my password - locked out again
Exchange recognizes two mobile devices, my iPad2 and my iPhone 4, as mobile ActiveSync clients
I have reset both of these devices, updated to the latest iOS and reinstalled and reconfigured my apps
This occurs even when neither of these devices has an active ActiveSync account set up to use my work Exchange server
The keyrings (Mac) and Credential Managers (PC) of all my home machines have been sanitized
Mail (Mac) and Outlook are not configured on my home machines, and they are not affiliated with the work domain in any way
From these facts it seems to me that the issue is:
There exists a machine attempting to reach my Exchange account using a password I have used in the past
If it is a computer that I have possession of, it must be an iDevice, because this behavior has still occurred when all others have been powered off
If it is an iDevice under my control then it is something in iCloud/iTunes, because it does not depend on having the Exchange account configured on either iDevice and those are the only applications with knowledge of my work email address
So,
If it is my iCloud/iTunes account then WHY in the name of all that is sacred is it hitting my work Exchange server and locking out my account?
I can think of no other -possible- devices or online services that have both that password, and knowledge of that email address. I remotely wiped an old phone that might have had the email account configured.
Help?

I would very much like to hear from someone at Apple regarding this as I'm having a very similar if not the exact same issue.

Active Directory account lockout from OS X Server

Similar Messages

Maybe you are looking for